From 330e0883fcbb3f1f662198b882e8784b9d151a05 Mon Sep 17 00:00:00 2001
From: Ivan De Marino
Date: Thu, 10 Mar 2022 15:22:40 +0000
Subject: [PATCH] Update GH Action 'add-content-to-project' to use 'pull_request_target' to allow access to project secrets (#18)
---
 .github/workflows/add-content-to-project.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/add-content-to-project.yml b/.github/workflows/add-content-to-project.yml
index 908d06b..f7e7513 100644
--- a/.github/workflows/add-content-to-project.yml
+++ b/.github/workflows/add-content-to-project.yml
@@ -5,9 +5,12 @@ name: "Add Issues/PRs to TF Provider DevEx team board"
 on:
 issues:
 types: [opened, reopened]
- pull_request:
+ pull_request_target:
 # NOTE: The way content is added to project board is equivalent to an "upsert".
 # Calling it multiple times will be idempotent.
+ #
+ # See https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
+ # to see the reasoning behind using `pull_request_target` instead of `pull_request`
 types: [opened, reopened, ready_for_review]
 
 jobs:
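Review bot: The hunk does not record the condition under which `pull_request_target` is safe, and a workflow on this trigger runs with the base repository's secrets and a write-capable `GITHUB_TOKEN` for pull requests opened from forks. The linked article only supports this switch as long as no job checks out or executes the PR head (for example `actions/checkout` with `ref: ${{ github.event.pull_request.head.sha }}`) and no attacker-controlled field such as `github.event.pull_request.title` or `.body` is interpolated into a `run:` script; the `jobs:` section that decides this starts outside the hunk, so it cannot be confirmed here. I would state that invariant next to the trigger rather than only citing the article, e.g. `# SECURITY: runs on the base branch with repo secrets for fork PRs — jobs must never check out or execute PR head code, nor shell-interpolate PR title/body.` Consider also adding a top-level `permissions:` block that restricts the default token to what the board-update step actually needs, which is presumably nothing beyond the project secret the commit title refers to.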